|
 ABSTRACT
We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
Martin Abadi, T. Mark A. Lomas, and Roger Needham. Strengthening passwords. Technical Report 1997-033, SRC, September 1997.
|
| |
2
|
P. Akritidis , W. Y. Chin , V. T. Lam , S. Sidiroglou , K. G. Anagnostakis, Proximity breeds danger: emerging threats in metro-area wireless networks, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
|
| |
3
|
Anti-phishing working group. http://www.antiphishing.org/.
|
| |
4
|
Bank of America Sitekey: Online banking security. http://www.bankofamerica/privacy/sitekey/.
|
| |
5
|
Stephen Bell. Invalid banking cert spooks only one user in 300. Computer World New Zealand, http://www.computerworld.co.nz/news.nsf/NL/-FCC8B6B48B24CDF2CC257002001%8FF73,May 2005.
|
| |
6
|
Sonia Chiasson , P. C. van Oorschot , Robert Biddle, A usability study and critique of two password managers, Proceedings of the 15th conference on USENIX Security Symposium, p.1-1, July 31-August 04, 2006, Vancouver, B.C., Canada
|
| |
7
|
Tyler Close. Petname tool. http://petname.mozdev.org/.
|
| |
8
|
Tyler Close. Waterken YURL. http://www.waterken.com/dev/YURL/httpsy/.
|
 |
9
|
|
| |
10
|
|
| |
11
|
Earthlink Toolbar Featuring ScamBlocker for Windows Users. http://www.earthlink.net/software/free/toolbar/.
|
| |
12
|
|
| |
13
|
Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL Protocol Version 3.0. http://wp.netscape.com/eng/ssl3/, 1996.
|
| |
14
|
Batya Friedman , David Hurley , Daniel C. Howe , Edward Felten , Helen Nissenbaum, Users' conceptions of web security: a comparative study, CHI '02 extended abstracts on Human factors in computing systems, April 20-25, 2002, Minneapolis, Minnesota, USA
[doi> 10.1145/506443.506577]
|
| |
15
|
Batya Friedman , David Hurley , Daniel C. Howe , Helen Nissenbaum , Edward Felten, Users' conceptions of risks and harms on the web: a comparative study, CHI '02 extended abstracts on Human factors in computing systems, April 20-25, 2002, Minneapolis, Minnesota, USA
[doi> 10.1145/506443.506510]
|
| |
16
|
Kevin Fu , Emil Sit , Kendra Smith , Nick Feamster, Dos and don'ts of client authentication on the web, Proceedings of the 10th conference on USENIX Security Symposium, p.19-19, August 13-17, 2001, Washington, D.C.
|
| |
17
|
Eran Gabber , Phillip B. Gibbons , Yossi Matias , Alain J. Mayer, How to Make Personalized Web Browising Simple, Secure, and Anonymous, Proceedings of the First International Conference on Financial Cryptography, p.17-32, February 24-28, 1997
|
| |
18
|
|
| |
19
|
|
| |
20
|
David Goldsmith. How a 'Catch-22' Turns into a 'Shame on You'. http://isc.sans.org/diary.html?storyid=1230, March 2006.
|
| |
21
|
Anti-Phishing Working Group. Ebay - Update Your Account MITM attack. http://www.antiphishing.org/phishing_archive/05-03-05_Ebay/05-03-05_Eba%y.html.
|
| |
22
|
Princeton Secure Internet Programming Group. DNS attack scenario. http://www.cs.princeton.edu/sip/news/dns-scenario.html, February 1996.
|
| |
23
|
Peter Gutmann. Why isn't the Internet secure yet, dammit. In AusCERT Asia Pacific Information Technology Security Conference 2004, May 2004.
|
| |
24
|
|
| |
25
|
Amir Herzberg and Ahmad Gbara. Security and Identification Indicators for Browsers against Spoofing and Phishing Attacks. Cryptology ePrint Archive, Report 2004/155, 2004.
|
| |
26
|
|
| |
27
|
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA
[doi> 10.1145/988672.988679]
|
| |
28
|
ING direct privacy center. https://home.ingdirect.com/privacy/privacy_security.asp?s=newsecurityfe%ature.
|
| |
29
|
Collin Jackson , Adam Barth , Andrew Bortz , Weidong Shao , Dan Boneh, Protecting browsers from dns rebinding attacks, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
[doi> 10.1145/1315245.1315298]
|
| |
30
|
Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth. An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In Proceedings of Usable Security (USEC '07), February 2007.
|
| |
31
|
Martin Johns. On XSRF and Why You Should Care. Talk at the PacSec 2006 conference, http://www.informatik.uni-hamburg.de/SVS/personnel/martin/psj06johns-e.%pdf,November 2006.
|
| |
32
|
Martin Johns. (Somewhat) breaking the same-origin policy by undermining DNS pinning. http://shampoo.antville.org/stories/1451301/, August 2006.
|
| |
33
|
Martin Johns. Using Java in anti DNS-pinning attacks. http://shampoo.antville.org/stories/1566124/, February 2007.
|
| |
34
|
Martin Johns and Justus Winter. RequestRodeo: Client Side Protection against Session Riding. In Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pages 5--17. Departement Computerwetenschappen, Katholieke Universiteit Leuven, May 2006.
|
| |
35
|
Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. Preventing cross site request forgery attacks. In Proceedings of the Second IEEE Conference on Security and Privacy in Communications Networks (SecureComm), August 2006.
|
| |
36
|
Kanatoko. Anti-DNS Pinning (DNS Rebinding) + Socket in FLASH. http://www.jumperz.net/index.php?i=2&a=3&b=3, January 2007.
|
| |
37
|
Alan H. Karp. Site-specific passwords. Technical Report HPL-2002-39R1, HP Labs, 2002.
|
| |
38
|
|
| |
39
|
|
| |
40
|
Uriel Maimon. Universal Man-in-the-Middle Phishing Kit - why is this even news? http://www.rsa.com/blog/entry.asp?id=1160.
|
| |
41
|
Chris Masone, Kwang-Hyun Baek, and Sean Smith. WSKE: Web Server Key Enabled Cookies. In Proceedings of Usable Security (USEC), February 2007.
|
| |
42
|
Adam Megacz. XWT Foundation Advisory: Firewall circumvention possible with all browsers. http://www.megacz.com/research/papers/sop.txt, July 2002.
|
| |
43
|
Microsoft. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers. http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx.
|
| |
44
|
Microsoft. Mitigating cross-site scripting with HTTP-only cookies. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp.
|
| |
45
|
Microsoft. Microsoft security bulletin MS01-017: Erroneous VeriSign-issued digital certificates pose spoofing hazard. http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx, March 2001.
|
| |
46
|
Mozilla Bugzilla bug 149943 - Princeton-like exploit may be possible. https://bugzilla.mozilla.org/show_bug.cgi?id=149943.
|
| |
47
|
Mozilla Bugzilla bug 162871 - DNS: problems with new DNS cache ("pinning" forever). https://bugzilla.mozilla.org/show_bug.cgi?id=162871.
|
| |
48
|
Mozilla Bugzilla bug 205726 - nsDnsService rewrite. https://bugzilla.mozilla.org/show_bug.cgi?id=205726.
|
| |
49
|
Mozilla Bugzilla bug 245609 - Mozilla not getting certificate issuer from Authority Information Access CA Issuers, June 2004.
|
| |
50
|
mozilla.dev.security. VeriSign Class 3 Secure Server CA http://groups.google.com/group/mozilla.dev.security/browse_thread/threa%d/6830a8566de24547/0be9dea1c274d0c5, March 2007.
|
| |
51
|
mozilla.org. The same-origin policy. http://www.mozilla.org/projects/security/components/same-origin.html.
|
| |
52
|
Netcraft anti-phishing toolbar. http://toolbar.netcraft.com/.
|
| |
53
|
Gunter Ollmann. The pharming guide. http://www.ngssoftware.com/papers/ThePharmingGuide.pdf.
|
| |
54
|
Stefano Di Paola and Giorgio Fedon. Subverting Ajax. In 23rd Chaos Communication Congress, December 2006.
|
| |
55
|
Bryan Parno, Cynthia Kuo, and Adrian Perrig. Phoolproof phishing prevention. In Proceedings of Financial Cryptography (FC '06), February 2006.
|
| |
56
|
Washington Post. Citibank Phish Spoofs 2-Factor Authentication. http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoof%s_2factor_1.html.
|
| |
57
|
Washington Post. Not Your Average Phishing Scam. http://blog.washingtonpost.com/securityfix/2007/01/not_your_average_ama%zon_phishi.html.
|
| |
58
|
PTFB Pro. http://www.ptfbpro.com/.
|
| |
59
|
Venugopalan Ramasubramanian and Emin Gun Sirer. Perils of transitive trust in the Domain Name System. In Proceedings of the Internet Measurement Conference (IMC), October 2005.
|
| |
60
|
Nicholas Rosasco and David Larochelle. How and why more secure technologies succeed in legacy markets: Lessons from the success of SSH. In Proceedings of the Second Annual Workshop on Economics and Information Security, May 2003.
|
| |
61
|
Jim Roskind. Attacks against the netscape browser. Invited talk, RSA conference, April 2001.
|
| |
62
|
Blake Ross , Collin Jackson , Nick Miyake , Dan Boneh , John C. Mitchell, Stronger password authentication using browser extensions, Proceedings of the 14th conference on USENIX Security Symposium, p.2-2, July 31-August 05, 2005, Baltimore, MD
|
| |
63
|
Stefan Santesson and Russell Housley. Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension. http://www.ietf.org/rfc/rfc4325.txt, December 2005.
|
| |
64
|
|
| |
65
|
Security Space and E-Soft. Secure Server Survey. http://www.securityspace.com/s_survey/sdata/200704/certca.html, May 2007.
|
| |
66
|
Rajiv Shah and Christian Sandvig. Software Defaults as De Facto Regulation: The Case of the Wireless Internet. In The 33rd Research Conference on Communication, Information, and Internet Policy, September 2005.
|
| |
67
|
Christopher Soghoian and Markus Jakobsson. A Deceit-Augmented Man In The Middle Attack Against Bankof America's SiteKey Service. http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-atta%ck.html, April 2007.
|
| |
68
|
Josh Soref. DNS: Spoofing and Pinning. http://viper.haque.net/~timeless/blog/11/.
|
| |
69
|
Spoofstick. http://www.spoofstick.com/.
|
| |
70
|
Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. Drive-by pharming. Technical Report 641, Indiana University Computer Science, December 2006.
|
| |
71
|
Win Treese and Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. http://tools.ietf.org/html/rfc4346, 2006.
|
| |
72
|
Alex Tsow. Phishing with consumer electronics - malicious home routers. In Models of Trust for the Web Workshop at the 15th International World Wide Web Conference (WWW2006), May 2006.
|
| |
73
|
Alex Tsow, Markus Jakobsson, Liu Yang, and Susanne Wetzel. Warkitting: the drive-by subversion of wireless home routers. Journal of Digital Forensic Practice, 1(3), November 2006.
|
| |
74
|
Vanguard security center. https://flagship.vanguard.com/VGApp/hnw/content/UtilityBar/SiteHelp/Sit%eHelp/SecurityCenterOverviewContent.jsp.
|
| |
75
|
VeriSign. Licensing VeriSign Certificates Securing Multiple Web Server and Domain Configurations. http://www.verisign.com/static/001496.pdf, June 2005.
|
| |
76
|
VivilProject. List of public DNS servers.
|
| |
77
|
|
| |
78
|
|
| |
79
|
|
| |
80
|
Wei Xu , Sandeep Bhatkar , R. Sekar, Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks, Proceedings of the 15th conference on USENIX Security Symposium, p.9-9, July 31-August 04, 2006, Vancouver, B.C., Canada
|
| |
81
|
Yahoo sign-in seal. http://security.yahoo.com/.
|
| |
82
|
|
| |
83
|
|
| |
84
|
|
| |
85
|
Jim Youll. Fraud vulnerabilities in SiteKey security at Bank of America. cr-labs.com/publications/SiteKey-20060718.pdf, July 2006.
|
| |
86
|
Yue Zhang, Serge Egelman, Lorrie Faith Cranor, and Jason Hong. Phinding phish: Evaluating anti-phishing tools. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), February 2007.
|
CITED BY 8
|
|
|
|
|
|
|
|
Collin Jackson , Adam Barth , Andrew Bortz , Weidong Shao , Dan Boneh, Protecting browsers from dns rebinding attacks, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
C.2